
Fake WhatsApp update on Google Play promoted malware disguised as game

A fake WhatsApp application that was downloaded one million times from the Google Play Store was observed advertising a malicious game app that infects users with secondary malware capable of click fraud, data extraction, and SMS surveillance.

Initially discovered by Reddit users on Nov. 3, and subsequently investigated by Zimperium's zLabs research team, the phony Android WhatsApp program, named “Update WhatsApp Messenger,” exhibits prototypical ad fraud behavior.

Upon installation, the app is difficult to find because its developer – deceptively named “WhatsApp Inc. ” with a non-breaking space at the end – set an empty app_name value and designed the icon to appear transparent, according to a blog post from Zimperium malware researcher Matteo Favaro. Still, if the user can find and launch it, the malware begins displaying various advertisements for additional apps; clicking one sends the user back to the Google Play Store to install it.
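A defender-side check for the two concealment tricks described above (an empty app label and a developer name padded with invisible Unicode whitespace), added here as an example and not taken from Zimperium's or the article's own code; the allow-list, function names and sample listings are constructed:

```python
import unicodedata

# Characters that render as nothing (or as an ordinary space) while changing the string.
INVISIBLE = {
    "\u00a0",                      # no-break space, as in the fake "WhatsApp Inc.\u00a0" name
    "\u200b", "\u200c", "\u200d",  # zero-width space / non-joiner / joiner
    "\u2060", "\ufeff",            # word joiner, byte-order mark
    "\u202f", "\u2007", "\u3000",  # narrow no-break, figure and ideographic spaces
}

# Constructed allow-list of legitimate developer names (assumption for the example).
KNOWN_DEVELOPERS = {"WhatsApp Inc."}


def invisible_chars(s):
    """Return (index, code point) for every invisible or non-ASCII whitespace char in s."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(s)
            if c in INVISIBLE or (c.isspace() and c != " ")
            or unicodedata.category(c) in ("Cf", "Cc")]


def canonical(s):
    """NFKC-normalise, drop invisible characters and collapse runs of whitespace."""
    s = unicodedata.normalize("NFKC", s)  # maps U+00A0 to a plain space, among others
    s = "".join(c for c in s
                if c not in INVISIBLE and unicodedata.category(c) not in ("Cf", "Cc"))
    return " ".join(s.split())


def check_listing(developer, app_label):
    """Return findings for a Play-style listing; an empty list means nothing looked odd."""
    findings = []
    if not canonical(app_label):
        findings.append("empty or invisible app label")
    odd = invisible_chars(developer)
    if odd:
        findings.append(f"developer name contains invisible characters at {odd}")
    # A padded name is not in the allow-list as typed but collapses onto a real entry.
    if developer not in KNOWN_DEVELOPERS and canonical(developer) in KNOWN_DEVELOPERS:
        findings.append(f"developer name impersonates {canonical(developer)!r}")
    return findings
```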

One such ad is for a game called Cold Jewel Lines, which looks similar to a Candy Crush-type app. Even though the game was found to fully work, it was by every definition a malicious APK capable of communicating with a command-and-control server, performing ad-autoclicking activities, exfiltrating device data, parsing and extracting information from received SMS texts, and possibly executing other malicious payloads and shell commands.

According to Zimperium, the malware can extract such sensitive data as the IMEI (International Mobile Equipment Identity) number, IMSI (International Mobile Subscriber Identity) number, Android UUIDs (Universally Unique Identifiers), operator, Wi-Fi network, MAC identifier, manufacturer, root status, and user agent.

Researchers also learned that the malware's C&C server is linked to the domains alfa-aaa.site and ex2cloud.xyz.

Google removed Cold Jewel Lines from its Play Store on Nov. 21, one day after Zimperium disclosed the malware to the company. The WhatsApp update was apparently also removed earlier that month.

Bradley Barth
